
3 Answers

Personally, I feel that transaction deserves some love. I know it is an expensive command, but it is also a powerful one with some very useful features. If you decide to keep using transaction, you can simply add the keepevicted=t flag to the transaction command to get the information you want.

It will add a closed_txn field which denotes transactions that were:

Opened and closed (both the startswith and endswith conditions were met). In this case, closed_txn=1

Only opened (only the startswith condition was met and therefore the transaction was evicted). In this case, closed_txn=0

So to find jobs that started but didn't complete in your time window, add | search closed_txn=0 to your search after the transaction command. If the search is running too slowly, use fields to reduce your field extractions prior to running your transaction. The whole thing might look something like this:

Don't get me wrong. I do love and use the transaction command; it is very powerful and versatile. When it comes to just getting the duration of a job, though, depending on the volume of your data and the timeframe of your search, clever use of stats can get you to the same ends with a little more efficiency.
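The two approaches side by side, as an added example rather than either answer's own search: the first uses transaction with keepevicted=t and closed_txn as described above, the second reaches the same result with stats. The index, sourcetype, the job_id field and the status=STARTED / status=FINISHED markers are assumptions, not fields from the original thread.

```spl
index=app sourcetype=job_log
| fields _time job_id status
| transaction job_id startswith="status=STARTED" endswith="status=FINISHED" keepevicted=t
| eval Job_Status=if(closed_txn=0, "Incomplete", "Complete")
| table _time job_id duration Job_Status

index=app sourcetype=job_log status IN ("STARTED", "FINISHED")
| stats earliest(_time) AS start_time latest(_time) AS end_time values(status) AS statuses BY job_id
| eval Job_Status=if(isnotnull(mvfind(statuses, "^FINISHED$")), "Complete", "Incomplete")
| eval duration=if(Job_Status="Complete", end_time - start_time, null())
| table job_id start_time duration Job_Status
```

In the transaction version, jobs with only a STARTED event are kept (rather than dropped) because of keepevicted=t and surface with closed_txn=0; in the stats version the same jobs are those whose statuses list never contains FINISHED, so no duration is computed for them.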

Both your answer and @Runal's worked. Because it was a smaller subset, I ended up sticking with transactions. The fancy evals from @Runal inspired me to improve my dashboard panel! I had to remove duration>0 in order to see jobs that had started but not finished. I really like the idea of | eval Job_Status=if(closed_txn=0, "Incomplete", "Complete"), however it was showing complete for jobs that had started but not finished.